diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 13dbec950a..ae9b6a3a85 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -46,7 +46,8 @@ parameters:
 default: true
 description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
 DockerNovaMigrationSshdPort:
 default: 2022
 description: Port that dockerized nova migration target sshd service
@@ -70,14 +71,14 @@ parameters:
 conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
 need_libvirt_secret:
 or:
diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index ac7cc8f19e..38608bf498 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -66,7 +66,8 @@ parameters:
 default: true
 description: If set to true and if EnableInternalTLS is enabled, it will set the libvirt URI's transport to tls and configure the
- relevant keys for libvirt.
+ relevant keys for libvirt. NOTE. this is currently being
+ ignored and TLS for libvirtd is always disabled for now.
 InternalTLSCAFile:
 default: '/etc/ipa/ca.crt'
 type: string
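Review bot: The two added description lines say TLS for libvirtd is always disabled but give no reason and no pointer to where re-enablement is tracked, and `NOTE.` reads as a sentence end rather than a label; the identical text is added in the puppet/services/nova-libvirt.yaml hunk at line 66. The release note in this commit states the reason (the settings in use did not meet the required security standards), yet an operator reading only the parameter description never sees it. Suggested wording for the added lines: `relevant keys for libvirt. NOTE: this setting is currently ignored and TLS for libvirtd is always disabled, because the previous configuration did not meet the required security standards (see the libvirtd-tls release note).` The parameter's name and `type` line sit above this hunk, so the description belongs to the parameter that the commented-out condition names only by inference.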
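Review bot: `use_tls_for_live_migration: false` replaces the condition with a constant while the original `and:` expression stays behind as eight commented-out lines; the same block is commented out in the puppet/services/nova-libvirt.yaml hunk starting at line 101. Git history already preserves the old expression, so the dead comments should be dropped in favour of a single `# TODO: re-enable once the libvirtd TLS settings meet the required security standards` above the constant. Because `EnableInternalTLS` and `UseTLSTransportForLiveMigration` are no longer consulted here, a deployment that explicitly asks for TLS live migration silently gets the non-TLS transport with nothing in the template surfacing that at deploy time; if the `default: true` seen in the earlier hunk is this parameter's default (the hunk does not show its name), flipping it to `false` would at least make an ignored `true` an explicit operator choice. The `conditions` mapping continues past both ends of this hunk.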
@@ -100,14 +101,14 @@ parameters:
 conditions:
- use_tls_for_live_migration:
- and:
- - equals:
- - {get_param: EnableInternalTLS}
- - true
- - equals:
- - {get_param: UseTLSTransportForLiveMigration}
- - true
+ use_tls_for_live_migration: false
+ # and:
+ # - equals:
+ # - {get_param: EnableInternalTLS}
+ # - true
+ # - equals:
+ # - {get_param: UseTLSTransportForLiveMigration}
+ # - true
 libvirt_specific_ca_unset:
 equals:
diff --git a/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
new file mode 100644
index 0000000000..d97e48ed90
--- /dev/null
+++ b/releasenotes/notes/libvirtd-tls-6de6fb35e0ac0ab1.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Live migration over TLS has been disabled since the settings it was using
+ don't meet the required security standards. It is currently not possible to
+ enable it via t-h-t.